Wednesday, September 5, 2018

In our last post we tried to shed some light on what at first glance appeared to be a very common PayPal phishing email, but which turned out to be connected to a much larger and more distinctive campaign the deeper we looked. By investigating that single email, we were able to uncover a wide-ranging spam group originating from Indonesia which appeared to be responsible for the phishing activity we originally saw. Through that seemingly ordinary PayPal phishing email, we found that an Indonesian group was targeting the customer bases of various well-known companies by mass-sending phishing emails via uniquely identifiable Twitter-shortened URL redirections.

They have done so with great success, as we demonstrated by showing some of the attackers' self-shared screenshots of incoming victim credit card information. We last left off by identifying some additional Twitter handles spreading phishing links and hunting for more infrastructure connected to that specific campaign.

Since our last update on the matter, we have continued to monitor this group's activity, passing our findings along to the relevant parties. In the process of studying this group, we have also discovered a second segment of the Indonesian spamming community, in addition to the SlackerC0de and Spammer ID groups identified in our previous post. This second group uses a slightly different set of tools and techniques, but stays true to the same core of collective financial scamming that we previously wrote about.

SendInbox

While we were looking at what the Spammer ID members were doing in their group, we saw that they began discussing an additional mailing tool they were using called "Sendinbox". Up to this point we had mainly seen them share their use of mailing tools like "heart sender" and "GX40 sender". We had also seen the Spammer ID group try to use XAMPP with sendmail on their localhost, relaying through SlackerC0de infrastructure. They used these methods alongside web-based tools on their group websites, like the ones we saw them make available on tool[.]slackerc0de[.]us. When we took a look at what "Sendinbox" was, we saw that it was a PHP tool built on the popular PHPMailer library. Going through the group's chat, we watched them discuss how they set this tool up on their shared group servers, mainly using Apple and PayPal phishing letters as the payload.

As can be seen in the above screenshots, the 'Sendinbox' tool lets an attacker send a large batch of emails at once with a preconfigured scam message through mail relay servers. In this example an attacker is testing, against his own Yahoo account, whether his emails arrive as regular inbox mail or are filtered as spam. We kept seeing the attackers repeat this kind of "QA" process at each stage of changing servers.

BMarket ID

"Sendinbox" is made by an "Eka Syahwan", who runs a community of groups separate from Spammer ID on various social platforms. Its main purpose is to provide support to the user base to whom he sold his mailer tool; a happy customer brings in more potential buyers. The main website for this community, Bmarket[.]or[.]id, also hosts a relay server for email campaigns at hxxp://bmarket[.]or[.]id/sendinbox-server[.]php. A close-knit user base such as this offers the would-be scammer support for his phishing campaigns, while the tool creator provides updates to the tool and workarounds for service blocks, and those workarounds kept accumulating the more we looked at the group's correspondence. Group members complained that the provided email servers were not delivering their scams successfully or that the mails were landing in spam folders. As a result we witnessed a heavy shift away from recognized servers like bmarket[.]or[.]id towards group members actively looking for compromised servers through which to relay their emails.

Group members such as the one above started looking for compromised servers on which to upload their Sendinbox tool for future campaigns, and shared them with the group. Once they had gained a foothold on a compromised website, they uploaded their SendInbox email tool, as can be seen below.

Other members also shared their use of vulnerability scanning tools to hunt for potential servers in the group chat.

Along with the proactive hunting these group members were conducting, they were monitoring another website belonging to the "Sendinbox" tool creator called IndoXploit which listed additional compromised servers for them to use in their phishing campaigns.

Eka Syahwan even lists this fact on his personal Facebook profile, along with regular updates to his scamming activity, as we can see in his most recent warning post about some rippers that recently tried to do business with him on Telegram:

Since this is a smaller community with a tendency to share their success and failures a little bit more than Spammer ID - it made it easier for us to track what they were doing in their campaigns. And this group was definitely busy - we've seen them successfully harvest many CC records via targeted email lists, ranging from alphabetically ordered emails to emails from specific sectors like large educational institutions in the US.

An email list an attacker has prepared to massively spam his phishing letters. This list is alphabetically ordered Yahoo accounts which were already validated as Apple users.

We have witnessed this group target specific sectors or user bases, as in the example below of them specifically targeting Japanese users of the IT provider Softbank Japan:

This group is also sophisticated enough to socially engineer letters appropriate to a geographic and linguistic group such as these Japanese Apple users: we caught them testing out various Japanese templates, checking how they are received by a Japanese Yahoo account, and bouncing them off Japanese accounts where possible.

Successfully harvested credentials received in an attacker's email.

We were only able to look at the incoming credentials shared in the group chats, which amounted to hundreds of victims by our count. Adding the credentials that were not being shared would probably make the true number of their victims much higher.

Conclusions

Traditional phishing hunting operations tend to rely on certificate and brand-name watching. This tactic is usually quite successful, since phishing domains rarely have a lifespan longer than a day or two, and if a phishing page is not hunted down it is usually reported as fake by wary users. The threat posed by closed scamming communities such as BMarket lies in crowdsourcing their setbacks and problems. While a single, lone scammer might quit after an unsuccessful attack, a strong base of experienced users, and in this case a tool creator looking to satisfy his clients, will immediately fix whatever is broken or detected by phishing domain watchers. It also offers their operations some confidentiality: a small group like this is harder to track when it makes little noise beyond its chat platforms. While some of their phishing domains were quickly identified, when we looked at their operations we saw that many Apple and PayPal customers still fell victim to their ploy. We also attribute this to the group's heavy use of shortened and redirected links.

In the grander scheme of the cybercrime landscape, it seems that passive hunting cannot replace actively tracking and infiltrating cybercrime groups if phishing activity such as this is to be mitigated.

IOCs

Twitter handles connected to this group:


Friday, July 20, 2018

While browsing the DC9723 group, we stumbled on a screenshot which one of the group's members had just shared with the rest of this DefCon group. The member had received what he claimed was a PayPal phishing email. He said he had received it on the previous day (July 14th) and that it contained a fake receipt for a purchase he had never made from an alleged Italian internet hosting company. When we looked into this "Aruba IT" company, we saw that it actually is a legitimate internet hosting and domain registration company based in Italy. That raised our curiosity enough to look further into the email itself and see whether anything else could be recovered that points to clues about this campaign, who else might be being used as a front, and whether we could identify any further malicious activity.

The screenshot shared by the DC9723 user.

Fake Receipt Phishing

By using a fake receipt like this, the attacker wants to alarm the recipient with the impression that a substantial purchase has just been made in their name, hoping such a message will motivate the recipient into taking action where a more traditional phishing email might not.

The attacker in this case copied PayPal's main template for electronic receipts; by doing so the attacker hopes to scare the recipient into logging into the "PayPal" site and giving away their credentials.

Conveniently, as seen in the above screenshot, a line which isn't present in a real PayPal receipt had been added:

"You don't recognize this transaction?" with an embedded link that can be seen at the bottom of the email.

In all probability, this was added to further guide the potential target along the path of action the attacker wants him to take, and it serves as a matching pretext for resolving the supposed receipt misunderstanding.

On a closer look, we can also see that this email contains some spelling mistakes and mistyped numbers. Perhaps these are intentional, adding confusion to the already dire financial situation the target may feel he is in and a further sense of urgency to resolve the whole issue. More likely, though, it just means the email was recompiled in haste.

The reply addresses, receipt@intl.paypai.com and noreply@intl.pavpal.com, stand out as obvious spoofs. pavpal[.]com had been seen in phishing activity in the past and has since been registered by PayPal itself, probably in an effort to block this type of activity. paypai[.]com has also been observed in numerous scamming attempts and phishing campaigns, with the domain belonging to Moniker Online Services.

A redirection path that uses PayPal's own authentication API backbone to piggyback on it as seemingly legitimate PayPal correspondence.

A victim looking to quickly resolve a financial issue might not go over the very long link and miss the spoofed URL at the end of it, giving away his credentials to the attacker. By using a malicious iframe like this, a sophisticated campaign can be built that relies on a victim's innocence.

Source code.

Screenshot of the Spoofed login page.

Twitter Activity

From this point on, we only had the now-blocked websites left to go over. However, since we could trace the activity back to Twitter, we could actually hunt for anyone spreading these links and see whether there was any new activity, or maybe even find out who is behind this. This was possible because of the attacker's choice of a t.co shortened link. We were able to identify the following accounts, which seem to be based out of Indonesia:

https://twitter.com/StyleC0de

https://twitter.com/nugslackerc0de

https://twitter.com/shortermrguest

https://twitter.com/uboldmild

https://twitter.com/AqsaAssegaf

All of these accounts were using the same method and similar links. The original link from the screenshot could be found being spread by @uboldmild.

Tweet of the original link.

As an elementary step in an investigation like this, we checked the usernames and names left by these individuals.

The Twitter user "Donna Curry" was registered under the handle 'uboldmild'. Pivoting to a simple search engine query, we found it was connected to numerous phishing websites with the same scheme, registered under the email uboldmild@yahoo.com.

Websites such as:

step-verivy[.]com

app-recoveryicloud[.]com

data-recoveryicloud[.]com

idmsa-accounts-security[.]com

datarecoveryicloud[.]com

com-verifyaccountappstore[.]info

responsibilitiesmacintosh[.]com

By looking at the Twitter account we can further correlate this by looking at what sort of links have been tweeted out by the user:

What looks like the first tweet was made to test out how the link shortener works, in June 2017.

This shows us that while the phishing kits they used may have evolved over the past year, the initial weaponization point of utilizing Twitter's link shortener has not. When checking the rest of the users, we found that the user @StyleC0de had been doing the same, which can be seen through his Twitter account as well. However, he did so under his actual name, which can be traced back to numerous social media profiles he holds under that name, including a YouTube video showing a script he intended to sell in 2017:

His latest effort, which was still live when we were writing this post, is the one we showed you under his still-current username and calling card 'StyleC0de'.

SlackerC0de spam group

SlackerC0de is an Indonesian hacking group that became active around 2015 with various low-level scripts aimed at financial scams. When we checked the user @nugslackerc0de on Twitter, his username stood out as well. This is what led us to the Indonesian group found at slackerc0de.us, and this group might actually be the connection point between these Indonesian users.

An Apple account checker script shared on Pastebin.

The main name that kept popping up in various source codes belonging to the group was a 'Malhadi Jr.', with websites like malhadi.slackerc0de.us hosting online tools like email bots and account checkers, along with an old personal GitHub account, https://github.com/MalhadiJr, sharing similar repositories.

We managed to see that one of his tools was used for a phishing website last year with a similar URL.

Source: ServiceHostNet

So when considering our recent findings, it seemed to us that the SlackerC0de group was indeed a key factor in identifying the common points between the different users.

Slackerc0de themselves invite any prying eyes to a public group on Telegram where they share their tools of the trade.

When we peeked inside the group, we were able to see behind the scenes of a relatively close-knit group collaborating on phishing efforts, like this user asking what a good subject line for Yahoo email recipients is:

A now deleted user instructing another member on his preferred link shorteners like Twitter and Owly:

And another one sharing PayPal Phishing Kit’s source code for download:

A user sharing a screenshot of using a mailer with their Apple phishing website present in the background:

We can see this Indonesian group is actively focused on cheating people out of their money, adding insult to injury by boasting of their success while sharing screenshots of incoming credentials:

An attacker sharing his harvested credentials.

Tactics, Techniques, and Procedures

This group and those like it operate by first gathering email lists, which can be curated manually or downloaded from the various cybercrime forums online. Once they have a large enough list, they move to the next step: checking the emails for corresponding accounts. They feed their emails into account checkers made by the likes of Malhadi Jr from SlackerC0de, which use various API calls to PayPal and Apple and inspect the responses to see which emails have PayPal accounts and which have Apple accounts. Both of these companies seem to be their favorite targets.

Once they have amassed a large enough list to start attacking, these attackers build the phishing infrastructure for the most crucial steps of their campaign. Judging by how this specific group operates, they create an online website, mostly hosted by Amazon, Google, or Aruba (the same company they used as the fake receipt in one of their emails). They host their phishing kit there and start mass-emailing their list using a mailer bought from their closed forum marketplace or shared by somebody in the chat group. To receive the credentials they manage to steal, they set up an inbox on a free email service such as Yandex.

Not much skill is needed to run such a scheme: they only need to configure the source code with their email address, upload it to a server, and use an email template. Going over their correspondence, we saw users with no skill whatsoever asking for resources, more experienced users sharing them, and the backbone of these groups, the tool creators or sellers, supplying the 955 members of the group with easy means of creating their own campaign. We watched them share the various setbacks they hit after launching a campaign, such as Amazon blocking their accounts, messing up the %email field, failing to configure a server, and more. This means that even an attacker at the lowest level of skill is spoon-fed the answer to his mistake and how to correct it so the campaign works, with dire consequences for the victims who fall prey to this criminal crowdsourcing.

An attacker sharing a screen capture of his Phishing email.

An attacker sharing a screenshot in hopes of troubleshooting an error.

An attacker sharing a screenshot of his blocked Amazon account.
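The brand-name watching discussed in the first post's conclusions, applied to the hostname shapes this campaign's IOCs exhibit (the brand spelled out in a subdomain of an unrelated domain such as www.paypal.com-<word>.<tld> or t.co-<word>.<tld>, and typo variants like paypa, pavpal and pyapal), as an added defender-side example that is not DeepEnd Research's or the post's own tooling. The watch list, the tiny public-suffix stand-in and the sample hostnames are constructed assumptions; the brand-free lure in the sample shows what such passive matching misses.

```python
"""Hostname triage for this campaign's lookalike pattern (added example, not the
post's own code): the brand spelled out inside a subdomain of an unrelated
registrable domain (www.paypal.com-<word>.<tld>, t.co-<word>.<tld>) and typo
variants (paypa, pavpal, pyapal). Watch list and suffix table are assumptions."""
import re

# Assumed watch list: domains the brands actually own, and the bare brand words.
BRAND_DOMAINS = {"paypal.com", "paypal.co.uk", "apple.com", "icloud.com", "t.co"}
BRAND_WORDS = {"paypal", "apple", "icloud"}
# Tiny stand-in for the public suffix list; a real tool would load the full list.
MULTI_SUFFIXES = {"co.uk", "com.br", "com.tw", "or.id"}

def refang(raw):
    """Normalise a defanged indicator such as 'www.paypa[.]com-x[.]net'."""
    return raw.strip().lower().replace("[.]", ".").rstrip("/")

def registrable_domain(host):
    """Last two labels, or three when the suffix is multi-part (co.uk)."""
    labels = host.split(".")
    depth = 3 if ".".join(labels[-2:]) in MULTI_SUFFIXES else 2
    return ".".join(labels[-depth:])

def osa_distance(a, b):
    """Optimal string alignment distance (edits plus adjacent transposition),
    so 'pyapal' is one step from 'paypal' where plain Levenshtein says two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(raw):
    """Return the impersonation signals seen in one hostname (empty = clean)."""
    host = refang(raw)
    if registrable_domain(host) in BRAND_DOMAINS:
        return []  # the brand's own domain: nothing to flag
    findings = set()
    for brand in BRAND_DOMAINS:
        # Brand domain written out verbatim (bounded by a dot before and a dot
        # or hyphen after) yet sitting under another registrable domain.
        if re.search(r"(?:^|\.)" + re.escape(brand) + r"(?=$|[.-])", host):
            findings.add("lookalike-of:" + brand)
    for tok in re.split(r"[.-]", host):
        for word in BRAND_WORDS:
            if tok == word:
                findings.add("brand-label:" + word)
            elif len(tok) >= 4 and osa_distance(tok, word) == 1:
                findings.add("typo-of:%s:%s" % (word, tok))
            elif word in tok:  # e.g. recoveryicloud; lower confidence
                findings.add("embedded:%s:%s" % (word, tok))
    return sorted(findings)

def scan(hosts):
    """Map each indicator to its findings; an empty list means not flagged."""
    return {h: classify(h) for h in hosts}

# Constructed sample in the shape of the campaign's indicators, plus two
# legitimate hosts that must stay clean and one brand-free lure that slips
# past this kind of passive brand watching.
SAMPLE = ["www.paypal[.]com-unauthorized-activity[.]com", "www.pyapal[.]com-websecurity[.]app",
          "t[.]co-d3gbfd[.]city", "www.paypal.co.uk-service[.]solutions",
          "app-recoveryicloud[.]com", "step-verivy[.]com", "www.paypal.com", "www.paypal.co.uk"]
```

Running scan(SAMPLE) flags the five lookalikes and typos, leaves the two genuine PayPal hosts clean, and also leaves step-verivy[.]com clean, which is the gap the conclusions point at.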

Historical Observations

We then tried to look for historical correlation and past activity this group may have been connected to, so we started searching RecordedFuture's threat intelligence platform for further relationships and activity.

When we initially looked at the main domain, we were looking for whatever malware RecordedFuture may have seen connected to SlackerC0de[.]us, if any at all. In this case we were able to see that some ransomware activity and various intertwined domains were connected to SlackerC0de[.]us.

Source: RecordedFuture

So we continued to look for connected phishing campaigns, and saw that prior to the July 2018 PayPal and Apple campaign that started our investigation, the group ran earlier campaigns in January, mainly targeting Apple and Facebook users.

Source: RecordedFuture

This means the group is probably busy all year round, targeting all the popular services in efforts to scam people out of their money and credentials.

IOCs


DeepEnd Research has already notified Apple and PayPal of these findings prior to the publication of this post.

7/27 - Update:

Since the publication of our blog post, the Twitter accounts we found, along with the associated YouTube account, have been suspended from their respective platforms.

During this time we also continued to monitor for any renewed activity by new users possibly using the same methods outlined in this campaign, since the identified ones were suspended. We found that there is currently one newly registered Twitter user still using the same construct of various shortened links leading to PayPal login phishing pages:

This user is registered under the name 'Tanya D Campero': https://twitter.com/CamperoTanya

The links tweeted out by this user lead us to the following new websites and infrastructure used by this campaign: